Software vulnerability patching is too slow

Security holes and vulnerabilities are to be expected, but not enough is being done to patch them quickly. That is the conclusion of Heimdal Security, which analysed software vulnerabilities and found that while the number of security problems is rising, companies are failing to keep pace and issues remain unaddressed for too long. Hackers are taking advantage of this, and user data is being left at great risk: Heimdal Security found that between 60 and 90 percent of attacks exploit known but unpatched vulnerabilities.

A number of key culprits are singled out for particular attention, names that will be familiar to most: Oracle Java Runtime Environment, Adobe Acrobat Reader, Adobe Flash Player, and Apple QuickTime. The biggest offender, by quite some margin, is the Java Runtime Environment, blighted by 48 vulnerabilities in 2012, a staggering 180 in 2013, and 90 so far in 2014. CVE Details also publishes an average severity rating for the vulnerabilities found in each of the four products, using CVSS (the Common Vulnerability Scoring System), which rates severity on a scale from 0 to 10. Java's average is 7.8, and that is the lowest of the four; the two Adobe products average 9.2.

So what is being done to address the issues as they are detected? Not enough. Heimdal Security CEO Morten Kjaersgaard says: "Considering the severity and mass of security flaws we see in software released by key vendors, you may think that security gaps should be closed faster. However, our data actually indicates that it can take as many as 12 months between patches for Apple QuickTime to be released." Despite the huge number of security holes detected in its software, Oracle releases an update only once every couple of months on average, and Adobe and Apple fare just about as badly.

All of these products are still widely used; QuickTime is in fact almost three times as popular now as it was in 2012. Apple's media player may be installed on only 33 percent of computers, but the two Adobe products and the Java Runtime Environment are found on more than 80 percent of systems. Heimdal Security points out that this is particularly worrying given that some 27 percent of emails contain malicious URLs that exploit known software vulnerabilities. What is perhaps more troubling is that the study looked at business systems. The figures may differ slightly for home computers, but it is business systems that house the most sensitive data in the greatest quantities.